The National Institute of Standards and Technology (NIST) is responsible for developing standards, providing technical assistance, and conducting research for computers and related systems. These activities provide technical support to government and industry in the effective, safe, and economical use of computers. With the passage of the Computer Security Act of 1987 (P.L. 100-235), NIST's activities also include the development of standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems. This guide is just one of three brochures designed for a specific audience. The "Executive Guide to the Protection of Information Resources" and the "Manager's Guide to the Protection of Information Resources" complete the series.
Introduction

Today's computer technology, with microcomputers and on-line access, has placed the power of the computer where it belongs, in YOUR hands. YOU, the users, develop computer applications and perform other data processing functions which previously were only done by the computer operations personnel. These advances have greatly improved our efficiency and effectiveness but also present a serious challenge in achieving adequate data security.

While excellent progress has been made in computer technology, very little has been done to inform users of the vulnerability of data and information to such threats as unauthorized modification, disclosure, and destruction, either deliberate or accidental. This guide will make you aware of some of the undesirable things that can happen to data and will provide some practical solutions for reducing your risks to these threats.

WHO IS RESPONSIBLE FOR PROTECTING DATA AND INFORMATION?

The statement that "security is everyone's responsibility" is absolutely true. Owners, developers, operators and users of information systems each have a personal responsibility to protect these resources. Functional managers have the responsibility to provide appropriate security controls for any information resources entrusted to them. These managers are personally responsible for understanding the sensitivity and criticality of their data and the extent of losses that could occur if the resources are not protected. Managers must ensure that all users of their data and systems are made aware of the practices and procedures used to protect the information resources. When you don't know what your security responsibilities are, ASK YOUR MANAGER OR SUPERVISOR.

WHAT IS "SENSITIVE" DATA?

All data is sensitive to some degree; exactly how sensitive is unique to each business environment. Within the Federal Government, personal information is sensitive to unauthorized disclosure under the Privacy Act of 1974. In some cases, data is far more sensitive to accidental errors or omissions that compromise accuracy, integrity, or availability. For example, in a Management Information System, inaccurate, incomplete, or obsolete information can result in erroneous management decisions which could cause serious damage and require time and money to rectify. Data and information which are critical to an agency's ability to perform its mission are sensitive to non-availability.

Still other data are sensitive to fraudulent manipulation for personal gain. Systems that process electronic funds transfers, control inventories, issue checks, control accounts receivable and payable, etc., can be fraudulently exploited, resulting in serious losses to an agency.

One way to determine the sensitivity of data is to ask the questions "What will it cost if the data is wrong? Manipulated for fraudulent purposes? Not available? Given to the wrong person?" If the damage is more than you can tolerate, then the data is sensitive and should have adequate security controls to prevent or lessen the potential loss.

WHAT RISKS ARE ASSOCIATED WITH THE USE OF COMPUTERS?

Over the past several decades, computers have taken over virtually all of our major record-keeping functions. Recently, personal computers have made it cost-effective to automate many office functions. Computerization has many advantages and is here to stay; however, automated systems introduce new risks, and we should take steps to control those risks.

We should be concerned with the same risks that existed when manual procedures were used, as well as some new risks created by the unique nature of computers themselves. One risk introduced by computers is the concentration of tremendous amounts of data in one location. The greater the concentration, the greater the consequences of loss or damage. Another example is that computer users access information from remote terminals. We must be able to positively identify the user, as well as ensure that the user is only able to access information and functions that have been authorized. Newspaper accounts of computer "hackers," computer virus attacks, and other types of intruders underscore the reality of the threat to government and commercial computer systems.

HOW MUCH SECURITY IS ENOUGH?

No matter how many controls or safeguards we use, we can never achieve total security. We can, however, decrease the risk in proportion to the strength of the protective measures. The degree of protection is based on the value of the information; in other words, how serious would be the consequences if a certain type of information were to be wrongfully changed, disclosed, delayed, or destroyed?
General Responsibilities

All Federal computer system users share certain general responsibilities for information resource protection. The following considerations should guide your actions.

• Treat information as you would any valuable asset.

You would not walk away from your desk leaving cash or other valuables unattended. You should take the same care to protect information. If you are not sure of the value or sensitivity of the various kinds of information you handle, ask your manager for guidance.

• Use government computer systems only for lawful and authorized purposes.

The computer systems you use in your daily work should be used only for authorized purposes and in a lawful manner. There are computer crime laws that prescribe criminal penalties for those who illegally access Federal computer systems or data. Additionally, the unauthorized use of Federal computer systems or use of authorized privileges for unauthorized purposes could result in disciplinary action.

• Observe policies and procedures established by agency management.

Specific requirements for the protection of information have been established by your agency. These requirements may be found in policy manuals, rules, or procedures. Ask your manager if you are unsure about your own responsibilities for protection of information.

• Recognize that you are accountable for your activities on computer systems.

After you receive authorization to use any Federal computer system, you become personally responsible and accountable for your activity on the system. Accordingly, your use should be restricted to those functions needed to carry out job responsibilities.
• Report unusual occurrences to your manager.

Many losses would be avoided if computer users would report any circumstances that seem unusual or irregular. Warning signals could include such things as unexplainable system activity that you did not perform, data that appears to be of questionable accuracy, and unexpected or incorrect processing results. If you should notice anything of a questionable nature, bring it to your manager's attention.
Security and Control Guidelines

Some common-sense protective measures can reduce the risk of loss, damage, or disclosure of information. Following are the most important areas of information systems controls that assure that the system is properly used, resistant to disruptions, and reliable.

• Make certain no one can impersonate you.

If a password is used to verify your identity, this is the key to system security. Do not disclose your password to anyone, or allow anyone to observe your password as you enter it during the sign-on process. If you choose your own password, avoid selecting a password with any personal associations, or one that is very simple or short. The aim is to select a password that would be difficult to guess or derive. "1REDDOG" would be a better password than "DUKE."

If your system allows you to change your own password, do so regularly. Find out what your agency requires, and change passwords at least that frequently. Periodic password changes keep undetected intruders from continuously using the password of a legitimate user.

After you are logged on, the computer will attribute all activity to your user id. Therefore, never leave your terminal without logging off, even for a few minutes. Always log off or otherwise inactivate your terminal so no one could perform any activity under your user id when you are away from the area.

• Safeguard sensitive information from disclosure to others.

People often forget to lock up sensitive reports and computer media containing sensitive data when they leave their work areas. Information carelessly left on top of desks and in unlocked storage can be casually observed, or deliberately stolen. Every employee who works with sensitive information should have lockable space available for storage when information is not in use. If you aren't sure what information should be locked up or what locked storage is available, ask your manager.

While working, be aware of the visibility of data on your personal computer or terminal display screen. You may need to reposition equipment or furniture to eliminate over-the-shoulder viewing. Be especially careful near windows and in public areas. Label all sensitive diskettes and other computer media to alert other employees of the need to be especially careful. When no longer needed, sensitive information should be deleted or discarded in such a way that unauthorized individuals cannot recover the data. Printed reports should be finely shredded, while data on magnetic media should be overwritten. Files that are merely deleted are not really erased and can still be recovered.
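The overwrite-before-delete advice above, as an added example that is not part of the brochure: the file is overwritten in place (random bytes, then zeros), the write is forced through to disk, and only then is the directory entry removed. The sample file name and contents are constructed for the demonstration, and the pass count is an assumption.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files need not fit in memory


def overwrite_file(path: str, random_passes: int = 1) -> int:
    """Overwrite every byte of an existing file in place and flush it to disk.

    Each random pass writes fresh random bytes; a final pass writes zeros so the
    on-disk content is fully determined. Returns the number of bytes in the file.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(random_passes + 1):
            last = pass_no == random_passes
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(b"\x00" * n if last else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite through the OS cache
    return size


def overwrite_and_remove(path: str) -> int:
    """Overwrite the file's contents first, then unlink the directory entry.

    A plain os.remove() only drops the name; the old blocks stay recoverable.
    """
    size = overwrite_file(path)
    os.remove(path)
    return size


def demo() -> dict:
    """Constructed sample: a 'sensitive' file is written, overwritten, then removed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payroll.txt")  # hypothetical file name
        original = b"SENSITIVE PAYROLL DATA\n" * 500
        with open(path, "wb") as fh:
            fh.write(original)
        size = overwrite_file(path)
        with open(path, "rb") as fh:
            after = fh.read()
        overwrite_and_remove(path)
        return {
            "size": size,
            "length_unchanged": len(after) == len(original),
            "text_still_present": b"SENSITIVE" in after,
            "all_zero": after == b"\x00" * len(original),
            "removed": not os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

On journaling or copy-on-write filesystems and on SSDs with wear levelling, an in-place overwrite may never reach the physical blocks that held the old data, so the brochure's advice holds for the magnetic media of its day; for modern media, full-disk encryption or device-level sanitization is the reliable equivalent.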

• Install physical security devices or software on personal computers.

The value and popularity of personal computers make theft a big problem, especially in low-security office areas. Relatively inexpensive hardware devices greatly reduce the risk of equipment loss. Such devices involve lock-down cables or enclosures that attach equipment to furniture. Another approach is to place equipment in lockable cabinets.

When data is stored on a hard disk, take some steps to keep unauthorized individuals from accessing that data. A power lock device only allows key-holders to turn on power to the personal computer. Where there is a need to segregate information between multiple authorized users of a personal computer, additional security in the form of software is probably needed. Specific files could be encrypted to make them unintelligible to unauthorized staff, or access control software can divide storage space among authorized users, restricting each user to their own files.

• Avoid costly disruptions caused by data or hardware loss.

Disruptions and delays are expensive. No one enjoys working frantically to re-enter work, do the same job twice, or fix problems while new work piles up. Most disruptions can be prevented, and the impact of disruptions can be minimized by advance planning. Proper environmental conditions and power supplies minimize equipment outages and information loss. Many electrical circuits in office areas do not constitute an adequate power source, so dedicated circuits for computer systems should be considered. Make certain that your surroundings meet the essential requirements for correct equipment operation. Cover equipment when not in use to protect it from dust, water leaks, and other hazards.

For protection from accidental or deliberate destruction of data, regular data backups are essential. Complete system backups should be taken at intervals determined by how quickly information changes or by the volume of transactions. Backups should be stored in another location, to guard against the possibility of original and backup copies being destroyed by the same fire or other disaster.

• Maintain the authorized hardware/software configuration.

Some organizations have been affected by computer "viruses" acquired through seemingly useful or innocent software obtained from public access bulletin boards or other sources; others have been liable for software illegally copied by employees. The installation of unauthorized hardware can cause damage, invalidate warranties, or have other negative consequences. Install only hardware or software that has been acquired through normal acquisition procedures and comply with all software licensing agreement requirements.
SUMMARY

Ultimately, computer security is the user's responsibility. You, the user, must be alert to possible breaches in security and adhere to the security regulations that have been established within your agency. The security practices listed are not inclusive, but rather designed to remind you and raise your awareness towards securing your information resources:

PROTECT YOUR EQUIPMENT

• Keep it in a secure environment

• Keep food, drink, and cigarettes AWAY from it

• Know where the fire suppression equipment is located and know how to use it

PROTECT YOUR AREA

• Keep unauthorized people AWAY from your equipment and data

• Challenge strangers in your area

PROTECT YOUR PASSWORD

• Never write it down or give it to anyone

• Don't use names, numbers or dates which are personally identified with you

• Change it often, but change it immediately if you think it has been compromised

PROTECT YOUR FILES

• Don't allow unauthorized access to your files and data

• NEVER leave your equipment unattended with your password activated - SIGN OFF!

PROTECT AGAINST VIRUSES

• Don't use unauthorized software

• Back up your files before implementing ANY new software
LOCK UP STORAGE MEDIA CONTAINING SENSITIVE DATA

• If the data or information is sensitive or critical to your operation, lock it up!

BACK UP YOUR DATA

• Keep duplicates of your sensitive data in a safe place, out of your immediate area

• Back it up as often as necessary

REPORT SECURITY VIOLATIONS

• Tell your manager if you see any unauthorized changes to your data

• Immediately report any loss of data or programs, whether automated or hard copy
For Additional Information

National Institute of Standards and Technology
Computer Security Program Office
A-216 Technology
Gaithersburg, MD 20899
(301) 975-5200

For further information on the management of information resources, NIST publishes Federal Information Processing Standards Publications (FIPS PUBS). These publications deal with many aspects of computer security, including password usage, data encryption, ADP risk management and contingency planning, and computer system security certification and accreditation. A list of current publications is available from:

Standards Processing Coordinator (ADP)
National Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, B-64
Gaithersburg, MD 20899
Phone: (301) 975-2817